MITRE ATT&CK / T1548.002
T1548.002
Bypass User Account Control
Description
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)Many methods have been discovered to b…
Platforms
Mitigations
- M1051 — Update Software
- M1047 — Audit
- M1052 — User Account Control
- M1026 — Privileged Account Management
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- Attackers Abuse Bun JavaScript Runtime to Spread NWHStealer Infostealer
- DEEP#DOOR Python Backdoor Detection: YARA Rules, Network IOCs, and Credential Theft Defences
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →